Many attempts to log in from "winbox"

Hello guys,

Since I don’t know too much regarding Mikrotik, I would appreciate your help regarding this issue. I am facing many failed logins on my Mikrotik with winbox.

I have disabled every service on Service List except winbox because I log in from it. Is this serious at all?

Appreciate your help.

Best,

Don’t keep winbox open from the internet, otherwise, all kinds of attackers will target it. If you need to connect from the internet side, you can set up an IPsec VPN connection and only open that for public networks, but block winbox access.

Thank you for your reply, Normis.

I only want to access winbox from my work. If I disable winbox from the internet, how can I log in only from my work?

Appreciate your help!

Best,

Like I described, you must make a VPN tunnel with IPsec. Then your router can only allow VPN access, not Winbox access.

You need WinBox and have to leave it on.
Close it at the internet facing interface with the Firewall.
If you are using the default firewall then make sure your interface towards internet is in the “WAN” interface list.
Your local interfaces (or the bridge if they are ports on a bridge) should be in the “LAN” interface list.
The default firewall allows only access from the LAN (or !WAN = not WAN) interface list.

If “your work” has a set of fixed public IPs you could add them to the Winbox service so you are allowed from there.
(e.g. "/ip service set winbox address=ip/prefix_to_allow port=port_on_which_you_want_winbox_to_listen")
If not, then either have some VPN-construction or Port-Knock sequence in place to allow it.

Thank you very much for your help!

Yes, we have a Static IP. I will try to add a firewall filter like this:

Chain: input
Src.add: My computer IP
Action: accept

And another filter
Chain: forward
Src.address 0.0.0.0/24
Action: drop

Will this drop everyone except my computer IP to winbox?

Best,

Chain: input
Src.address 0.0.0.0/0
Action: drop

“Input” is to the Mikrotik, “forward” is towards the other interfaces
You are dropping everything to input from all interfaces. !? Should filter a bit more, to incoming interface or incoming interface list, and the Winbox port used. (8192?)

Less safe than a VPN. (encryption, certificates, IP address spoofing)
What I do is make an SSTP VPN connection from the “to be managed Mikrotik”, towards the place from where I manage. (Only outgoing connections at the Mikrotik to be managed)

FYI: Anyone you know?
[Attached image: Klembord-2.jpg]

Chain: input
Src.address 0.0.0.0/0
Action: drop

This will also drop your local connection inside your home. So first add ALL the safe IP addresses with “accept”, only then block 0.0.0.0

@bpwl, Don’t know anyone from there and it seems strange. I am trying to figure out where they found our Mikrotik exposed, etc.

As I said, I am new to this!

Tried this:

These two are 2 IPs that tried to attack.

@Normis
Added only my computer IP to accept and dropped everything, but everyone has internet till now.

Should I add all the computers' IPs with accept?

Thanks guys!

There’s a lot of malware which crawls all public IPs and looks for open service ports. The owners of those IP addresses may not even know that their device has been infected and is now doing this.


One more time:

  • firewall chain forward deals with traffic which passes through the router (typically, between clients on LAN hosts and servers on internet)
  • firewall chain input deals with traffic for your router itself coming from anywhere (internet/WAN or LAN)

Besides, from your screenshot it is not clear whether those firewall rules are the only ones you have or whether the firewall rules from the default configuration are in place.

If the machine was exposed to internet with no firewall in place, it may be infected by now - those people keep looking for security holes and exploiting them, and the fact that brute forcing the password via WinBox didn’t succeed doesn’t mean that other malware could not have used some other vulnerability and squat on your machine. The only way to be sure that there is no malware is to netinstall the machine and apply a default configuration including the default firewall rules, and then redo the existing configuration again. Restricting access to the router itself via WAN to your office’s address is of course 1000 times better than the current state, but still a malware running on any device in your office can get there. So setting up a VPN from your PC alone as @Normis suggests is another 100 times better.
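
The rule order discussed in this thread, written out as RouterOS commands. This is an added example, not part of any post above. It assumes 203.0.113.10 as a placeholder for the office's static public IP, 192.168.88.0/24 as the LAN subnet, the WAN and LAN interface lists of the default configuration, and Winbox on its default port 8291.

```routeros
# Added example. 203.0.113.10 and 192.168.88.0/24 are placeholders:
# replace them with the office's public IP and the real LAN subnet.

# 1. Restrict the Winbox service itself to the trusted sources.
/ip service set winbox address=203.0.113.10/32,192.168.88.0/24

# 2. Input chain = traffic addressed to the router itself.
#    Rules are matched top to bottom and the first match wins,
#    so every accept must sit above the final drop.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the router already has"
add chain=input action=drop connection-state=invalid \
    comment="drop invalid packets"
add chain=input action=accept in-interface-list=LAN \
    comment="management from the local network"
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=203.0.113.10 in-interface-list=WAN \
    comment="Winbox from the office only"
add chain=input action=drop \
    comment="everything else addressed to the router"

# 3. "add" appends to the end of the list. If older rules exist,
#    check the resulting order before relying on it.
/ip firewall filter print where chain=input
```

Only the input chain is touched here, so traffic from LAN clients to the internet, which passes through chain forward, is unaffected by the final drop.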